label-studio@1.10.1 vulnerabilities

Label Studio annotation tool

Direct Vulnerabilities

Known vulnerabilities in the label-studio package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below lists the vulnerability, its severity badge, and the affected version range.

Severity: M (medium)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

label-studio is a Label Studio annotation tool

Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') because data imported via the file upload feature is not properly sanitized before it is rendered inside a Choices or Labels tag. By uploading a file containing a payload, an attacker can inject a malicious script into the web page, which is then executed in the context of the browser session of a user who views that page.

Note:

This is only exploitable if the attacker has permission to use the "data import" function.

How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?

Upgrade label-studio to version 1.11.0 or higher.

Vulnerable versions: [,1.11.0)
Severity: M (medium)
Server-Side Request Forgery (SSRF)

label-studio is a Label Studio annotation tool

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via the validate_upload_url function. An attacker can bypass the SSRF protections (SSRF_PROTECTION_ENABLED) by using an HTTP redirect or a DNS rebinding attack, and thereby reach internal web servers, potentially compromising the confidentiality of those servers.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade label-studio to version 1.11.0 or higher.

Vulnerable versions: [,1.11.0)